NAFCU Services Blog

By: DefenseStorm 

One of the toughest questions to answer is always, “How much should we spend on cybersecurity”? The same question applies to any purchase, including insurance, cars, homes, and vacations. However, when it comes to budgeting for cybersecurity, it can be more of an uncertain or “grey” area because some of the funds may impact cybersecurity but are not directly allocated to the IT department. 

A quick Google search can yield a suggested IT budget spend ranging from 5% to 20%. The real answer? It depends on that particular financial institution (FI) – there is no “silver bullet” answer, and it leads to a whirlwind of questioning one’s decisions. If my FI doesn’t suffer a breach, are we spending too much? Could we have been equally protected, having spent less? If an incident occurs, did that mean we were not spending enough? A better question is, how do you know how much to spend and if it’s enough? Ultimately, where and how much you spend on cybersecurity really depends on your risk profile.  

Plan of Action 

Effectively allocating funds for cybersecurity begins with a holistic view of your FI’s overall risk. The first step is to perform a comprehensive risk assessment and then develop a risk management program. The process starts by identifying potential risks and threats to your organization and evaluating the impact of those risks. By quantifying the risk, you are one step closer to identifying where the budget needs to be spent. 

The word "quantify" is significant in this context. The better you can do this, the better you can measure and monitor. Therefore, it is important to have solutions in place that provide access and insight into data in real-time. This data can help you quantify risk more accurately and will lead to better budgeting and strategic decisions overall. Once the risks your organization faces have been identified and quantified, you can start building out the system of controls. Controls should be designed to mitigate risk down to a more palatable level than the raw, inherent risk you would be facing if you did nothing to mitigate it. Designing and implementing controls begins to build out your FI’s cyber risk management program.  

The next step is evaluating the effectiveness of those controls in mitigating the risk. You can evaluate the effectiveness of controls through internal (but independent) ongoing program monitoring exercises, as well as through external audits and other testing exercises for which a third party is engaged such as penetration testing exercises. The task of ensuring controls remain effective never stops – institutions must always be aware of whether controls are effective or if there are breakdowns occurring so real-time remediation can occur. Utilizing a centralized platform to facilitate and document ongoing program monitoring and governance can allow for consistency in how controls are tested and monitored for effectiveness. Coupling that solution with one that maintains scores for control effectiveness provides a more powerful weapon toward effective budgeting. With a solution that connects this evidenced approach to control effectiveness scoring, budgeting conversations with leadership, committees, and the board become supported, evidenced, and therefore more productive conversations. Without a robust system in place that allows you to evaluate controls, there is a lack of clarity in knowing where the budget should be spent or if the spending is having the expected results. Now, we’re getting closer to the good part – the budget.  

Let’s Talk Budget 

Once you have a solid, defendable assessment of how effective controls are at mitigating the inherent risk, you can identify what the residual risk is to your organization. By identifying these areas, you now know where your program needs to mature, where to target resources, and then budget conversations can begin.  

We can also look at this in terms of the standard formula for Residual Risk. Residual Risk is Inherent Risk minus the Mitigating Controls. Or,  

Residual Risk = Inherent Risk – Mitigating Controls. 

Resources and budget should be allocated to areas where residual risk is elevated or where residual risk exceeds your risk appetite. These are the areas where inherent risk is higher, and control effectiveness is weaker. Especially when those levels of risk exceed the board’s risk appetite. Where your program must grow and where you should spend, are the areas where risk exceeds the institution’s appetite. 

Residual Risk >= Risk Tolerance                   Add mitigating controls  

Residual Risk <Risk Tolerance                 Controls are appropriate 

We now have a much better idea of how to identify where controls need to be strengthened, and, thus, resources need to be allocated. Will these resources always pull from your budget? Maybe not. But this framework provides the right starting point for deciding where to allocate those precious budget dollars cybersecurity has been granted. Key in all these steps is ensuring we are communicating with all the necessary stakeholders in our organization. This goes back to the common thread that keeps coming up – utilizing data. Leveraging the evidence behind the control effectiveness serves as the data that fuels communications and will be key in getting buy-in from stakeholders and ensuring common understanding. With that buy-in, we get to participate in brainstorming how we manage our risks and setting priorities. That buy-in also ensures we can maintain open communication with our stakeholders. 

Allocating funds for cybersecurity planning can seem like a daunting task. However, with a strategic plan based on reliable data to address your FI’s specific needs, you can maximize the value of every dollar spent and create a powerful defense to stop attacks before they happen.